Australian Companies Will Soon Need to Report Ransom Payments

UPDATE

Australian companies may soon have to disclose to the government any ransom payments they surrender to ransomware attackers.

It wasn't so long ago that Australia's government was considering an outright ban on ransom payments across the country. That idea didn't survive, but a slightly softer rule was floated in a national cybersecurity strategy document published last November. In just a single sentence buried deep in that document, the government signaled its intention that "To stay ahead of the threat, we will co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation for businesses."

That obligation will be part of the country's upcoming Cyber Security Act, which is expected to be brought before parliament during its next sitting in just a couple of weeks' time. Businesses with annual turnover exceeding $3 million AUD ($1.96 million US) will be forced to report their ransom payments.

"The goal with such laws is to allow governments to have insight into funds going to bad actors, in order to be able to track those payments and hopefully bring criminals to justice," explains Beth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB).

In Australia's case, "The proposed bill appears to mirror what we are seeing in the United States from CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires that covered entities report ransom payments within 24 hours of making a ransom payment to CISA," she explains. "The Australian proposed law is broader, though, in the sense that it appears to be for any business making a ransom payment, whereas it appears CIRCIA covers only 'covered entities,' which the current proposed CIRCIA regulations broadly define."

Will Forcing Ransom Disclosure Work?

Australia has been rocked by some major cyberattacks in recent years. In 2022, a breach of millions of consumer records struck the telecommunications company Optus. Shortly thereafter, a case of similar scope hit the health insurance provider Medibank. Last year, a cyber disruption downed four core ports around the country for a weekend. And there have been more.

The toll to Australia's economy has been significant. As former minister O'Neil noted in a forward to the 2023–2030 Australian Cyber Security Strategy, a cyber incident is reported to the government every six minutes. (Of course, that doesn't include all the incidents that don't get reported.) Ransomware, meanwhile, is responsible for $3 billion worth of damage to Aussie organizations annually, and cyberattack costs are rising 14% per annum.

Any hard and fast rules that help curb the problem inevitably affect different organizations differently. On one hand there are larger companies, which can handle the costs involved and stand to benefit the most from clearer regulations.

"With laws like this popping up locally across the globe, it creates a patchwork quilt of compliance for multi-national organizations with perhaps a headquarters in the United States but significant operations in Australia," Waller says.

Smaller organizations, meanwhile, have fewer resources to dedicate to cybersecurity, and less money to pay fines when they fall short. According to the Australian Broadcasting Company, the Australian Chamber of Commerce and Industry (ACCI) trade organization supports parts of the upcoming Cyber Security Act, but proposes that the minimum revenue threshold for businesses affected by the reporting rule should be $10 million. ABC also reports that fines for noncompliance will be just $15,000.

Incentive for Stronger Cyber Defenses

The hope, regardless, is that any potential negative side effects to the law will be outweighed by two primary benefits.

First, greater visibility for law enforcement. "A lack of visibility of the overall ransomware and cyber extortion threat limits the capacity of the government and private sector to support Australian organizations prepare for, and respond to, a ransomware or cyber extortion attack," a spokesperson with the Australian Department of Home Affairs said in a statement provided to Dark Reading. "Timely reporting of ransomware and cyber extortion incidents is needed to enhance whole-of-economy risk mitigation and preparedness and help tailor victim support services. This will ultimately bolster our collective security and strengthen our defences against future cyber attacks."

Another upside: more effective incentives for companies to better themselves. "Mandatory disclosures may prompt a reassessment of corporate practices regarding negotiations with cybercriminals," says Anne Cutler, cybersecurity evangelist at Keeper Security.

"With the knowledge they must disclose any ransom payments, business leaders may be persuaded to invest more heavily in preventive measures and robust incident response plans to avoid the financial and reputational scrutiny that comes with public disclosure," she says.

This story was updated at 10:15 a.m. ET on Aug. 2, 2024 to reflect the addition of comments from the Australian Department of Home Affairs.